A defender observes an application holding microphone capture capability transitioning into active microphone resource usage through Android audio APIs (e.g., MediaRecorder or AudioRecord), followed by sustained capture while the application is backgrounded or the device is locked, and subsequent outbound network traffic suggesting potential audio exfiltration or streaming.
| Data Component | Name | Channel |
|---|---|---|
| OS API Execution (DC0021) | android:logcat | Invocation of MediaRecorder.start(), AudioRecord.startRecording(), or VOICE_CALL audio source |
| System Settings (DC0118) | MobileEDR:telemetry | Microphone sensor activation or audio recording session initiated by application process |
| System Settings (DC0118) | MobileEDR:telemetry | Application transitions to background or executes while screen locked during microphone session |
| Application Permission (DC0114) | android:MDMLog | Application granted or retaining RECORD_AUDIO permission or privileged CAPTURE_AUDIO_OUTPUT capability |
| Process Creation (DC0032) | MobileEDR:telemetry | Application writes audio buffer or recorded audio file into application storage directories |
| Field | Description |
|---|---|
| RecordingDurationThreshold | Minimum microphone session duration before triggering detection to reduce noise from short legitimate captures. |
| BackgroundCapturePolicy | Environment-specific baseline (allow-list) for legitimate background microphone usage. |
| CaptureToNetworkTimeWindow | Time window correlating microphone activation with outbound network traffic. |
A defender observes an application with declared microphone capability initiating microphone resource use through iOS audio frameworks, potentially during background execution or shortly after a silent wake event, followed by sustained audio capture and outbound encrypted traffic suggesting audio streaming or upload activity.
| Data Component | Name | Channel |
|---|---|---|
| System Settings (DC0118) | MobileEDR:telemetry | Microphone sensor activation or audio recording session initiated by application process |
| System Settings (DC0118) | MobileEDR:telemetry | Application transitions to background or executes while screen locked during microphone session |
| OS API Execution (DC0021) | iOS:unifiedlog | Invocation of AVAudioRecorder, AVCaptureSession, or related audio capture framework calls |
| Process Creation (DC0032) | MobileEDR:telemetry | Application writes audio buffer or recorded audio file into application storage directories |
| Application Permission (DC0114) | iOS:MDMLog | Application installed with NSMicrophoneUsageDescription entitlement indicating microphone capability |
| Field | Description |
|---|---|
| ExpectedAudioAppsBaseline | Allow-list of legitimate applications expected to record audio on the device. |
| BackgroundWakeCorrelationWindow | Time window correlating background wake events with microphone activation. |
| MicSessionDurationThreshold | Minimum microphone recording duration considered suspicious. |
| MicToNetworkCorrelationWindow | Time window linking microphone activation to outbound network activity. |
| UplinkBytesThreshold | Threshold for outbound traffic volume indicating possible audio upload. |
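The correlation both strategies describe (a microphone session that lasts long enough, overlaps a background or locked state, is not on the environment baseline, and is followed within a time window by sufficient outbound traffic) can be expressed as a single rule over normalized telemetry. The following is an added illustration, not code from this page or from any MobileEDR product; the event schema and the sample events are constructed, and the function parameters map to the mutable fields above (RecordingDurationThreshold / MicSessionDurationThreshold, BackgroundCapturePolicy / ExpectedAudioAppsBaseline, CaptureToNetworkTimeWindow / MicToNetworkCorrelationWindow, UplinkBytesThreshold).

```python
from datetime import datetime, timedelta

# Constructed sample telemetry in a simplified normalized form (not real
# MobileEDR, logcat or unified log output). One app records for 150 s while
# backgrounded and then uploads ~900 KB; a second app records for 10 s in the
# foreground and sends a small amount of traffic.
EVENTS = [
    {"ts": "2024-05-01T10:00:00", "app": "com.example.notes", "kind": "mic_start"},
    {"ts": "2024-05-01T10:00:05", "app": "com.example.notes", "kind": "background"},
    {"ts": "2024-05-01T10:02:30", "app": "com.example.notes", "kind": "mic_stop"},
    {"ts": "2024-05-01T10:03:00", "app": "com.example.notes", "kind": "net_out", "bytes": 900_000},
    {"ts": "2024-05-01T11:00:00", "app": "com.example.memo", "kind": "mic_start"},
    {"ts": "2024-05-01T11:00:10", "app": "com.example.memo", "kind": "mic_stop"},
    {"ts": "2024-05-01T11:00:20", "app": "com.example.memo", "kind": "net_out", "bytes": 20_000},
]


def _t(s):
    return datetime.fromisoformat(s)


def detect_background_audio_capture(events, recording_duration_threshold=60,
                                    background_capture_policy=frozenset(),
                                    capture_to_network_window=300,
                                    uplink_bytes_threshold=500_000):
    """Return one alert per microphone session that lasts at least
    recording_duration_threshold seconds, overlaps a background/locked state,
    belongs to an app outside background_capture_policy, and is followed within
    capture_to_network_window seconds by outbound traffic totalling at least
    uplink_bytes_threshold bytes."""
    alerts, by_app = [], {}
    for e in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        by_app.setdefault(e["app"], []).append(e)
    for app, evs in by_app.items():
        if app in background_capture_policy:          # baselined legitimate recorder
            continue
        start = None
        for e in evs:
            if e["kind"] == "mic_start":
                start = _t(e["ts"])
            elif e["kind"] == "mic_stop" and start is not None:
                end = _t(e["ts"])
                deadline = end + timedelta(seconds=capture_to_network_window)
                duration = (end - start).total_seconds()
                backgrounded = any(x["kind"] in ("background", "screen_locked")
                                   and start <= _t(x["ts"]) <= end for x in evs)
                uplink = sum(x["bytes"] for x in evs if x["kind"] == "net_out"
                             and start <= _t(x["ts"]) <= deadline)
                if duration >= recording_duration_threshold and backgrounded \
                        and uplink >= uplink_bytes_threshold:
                    alerts.append({"app": app, "start": start.isoformat(),
                                   "duration_s": duration, "uplink_bytes": uplink})
                start = None
    return alerts
```

A session still open at the end of the telemetry window produces no alert here; a production rule would also evaluate in-progress sessions once they exceed the duration threshold.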